author | Damien Miller <djm@mindrot.org> | 2001-02-14 01:25:23 +1100 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2001-02-14 01:25:23 +1100 |
commit | 92ddb7d6f0d6a1942e27f75883d29dc0ea99223f (patch) | |
tree | 505a90486e59c722c4226a7c597b449f4b651529 | |
parent | 116b6bdda81d6647cc2742280c15b3f42ab3dd24 (diff) |
- (djm) Split out and improve OSF SIA auth code. Patch from Chris Adams
<cmadams@hiwaay.net> with a little modification and KNF.
-rw-r--r-- | ChangeLog | 4 | ||||
-rw-r--r-- | Makefile.in | 4 | ||||
-rw-r--r-- | auth-sia.c | 96 | ||||
-rw-r--r-- | auth-sia.h | 8 | ||||
-rw-r--r-- | auth1.c | 18 | ||||
-rw-r--r-- | auth2.c | 19 | ||||
-rw-r--r-- | session.c | 20 |
7 files changed, 116 insertions, 53 deletions
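--- a/ChangeLog
+++ b/ChangeLog
@@ -6,6 +6,8 @@
 from Nalin Dahyabhai <nalin@redhat.com>
 - (bal) Missing function prototype in bsd-snprintf.c patch by
 Mark Miller <markm@swoon.net>
+- (djm) Split out and improve OSF SIA auth code. Patch from Chris Adams
+<cmadams@hiwaay.net> with a little modification and KNF.
 
 20010213
 - (djm) Only test -S potential EGD sockets if they exist and are readable.
@@ -3922,4 +3924,4 @@
 - Wrote replacements for strlcpy and mkdtemp
 - Released 1.0pre1
 
-$Id: ChangeLog,v 1.757 2001/02/13 14:05:59 mouring Exp $
+$Id: ChangeLog,v 1.758 2001/02/13 14:25:23 djm Exp $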
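--- a/Makefile.in
+++ b/Makefile.in
@@ -1,4 +1,4 @@
-# $Id: Makefile.in,v 1.150 2001/02/09 13:40:03 djm Exp $
+# $Id: Makefile.in,v 1.151 2001/02/13 14:25:23 djm Exp $
 
 prefix=@prefix@
 exec_prefix=@exec_prefix@
@@ -48,7 +48,7 @@ LIBSSH_OBJS=atomicio.o authfd.o authfile.o bufaux.o buffer.o canohost.o channels
 
 SSHOBJS= ssh.o sshconnect.o sshconnect1.o sshconnect2.o log-client.o readconf.o clientloop.o
 
-SSHDOBJS= sshd.o auth.o auth1.o auth2.o auth-chall.o auth2-chall.o auth-rhosts.o auth-options.o auth-krb4.o auth-pam.o auth2-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o dh.o pty.o log-server.o login.o loginrec.o servconf.o serverloop.o md5crypt.o session.o groupaccess.o
+SSHDOBJS= sshd.o auth.o auth1.o auth2.o auth-chall.o auth2-chall.o auth-rhosts.o auth-options.o auth-krb4.o auth-pam.o auth2-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o auth-sia.o dh.o pty.o log-server.o login.o loginrec.o servconf.o serverloop.o md5crypt.o session.o groupaccess.o
 
 TROFFMAN = scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1
 CATMAN = scp.0 ssh-add.0 ssh-agent.0 ssh-keygen.0 ssh-keyscan.0 ssh.0 sshd.0 sftp-server.0 sftp.0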
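--- /dev/null
+++ b/auth-sia.c
@@ -0,0 +1,96 @@
+#include "includes.h"
+
+#ifdef HAVE_OSF_SIA
+#include "ssh.h"
+#include "auth-sia.h"
+#include "log.h"
+#include "servconf.h"
+#include "canohost.h"
+
+#include <sia.h>
+#include <siad.h>
+#include <pwd.h>
+#include <signal.h>
+#include <setjmp.h>
+#include <sys/resource.h>
+#include <unistd.h>
+#include <string.h>
+
+extern ServerOptions options;
+extern int saved_argc;
+extern char **saved_argv;
+
+extern int errno;
+
+int
+auth_sia_password(char *user, char *pass)
+{
+int ret;
+SIAENTITY *ent = NULL;
+const char *host;
+
+host = get_canonical_hostname(options.reverse_mapping_check);
+
+if (!user || !pass)
+return(0);
+
+if (sia_ses_init(&ent, saved_argc, saved_argv, host, user, NULL, 0,
+NULL) != SIASUCCESS)
+return(0);
+
+if ((ret = sia_ses_authent(NULL, pass, ent)) != SIASUCCESS) {
+error("couldn't authenticate %s from %s", user, host);
+if (ret & SIASTOP)
+sia_ses_release(&ent);
+return(0);
+}
+
+sia_ses_release(&ent);
+
+return(1);
+}
+
+void
+session_setup_sia(char *user, char *tty)
+{
+int ret;
+struct passwd *pw;
+SIAENTITY *ent = NULL;
+const char *host;
+
+host = get_canonical_hostname (options.reverse_mapping_check);
+
+if (sia_ses_init(&ent, saved_argc, saved_argv, host, user, tty, 0,
+NULL) != SIASUCCESS)
+fatal("sia_ses_init failed");
+
+if ((pw = getpwnam(user)) == NULL) {
+sia_ses_release(&ent);
+fatal("getpwnam(%s) failed: %s", user, strerror(errno));
+}
+if (sia_make_entity_pwd(pw, ent) != SIASUCCESS) {
+sia_ses_release(&ent);
+fatal("sia_make_entity_pwd failed");
+}
+
+ent->authtype = SIA_A_NONE;
+if (sia_ses_estab(sia_collect_trm, ent) != SIASUCCESS)
+fatal("couldn't establish session for %s from %s", user,
+host);
+
+if (setpriority(PRIO_PROCESS, 0, 0) == -1) {
+sia_ses_release(&ent);
+fatal("setpriority failed: %s", strerror (errno));
+}
+
+if (sia_ses_launch(sia_collect_trm, ent) != SIASUCCESS)
+fatal("couldn't launch session for %s from %s", user, host);
+
+sia_ses_release(&ent);
+
+if (setreuid(geteuid(), geteuid()) < 0)
+fatal("setreuid failed: %s", strerror (errno));
+}
+
+#endif /* HAVE_OSF_SIA */
+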
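Review bot: auth_sia_password forwards an empty password straight to sia_ses_authent — the only rejection before the SIA calls is `if (!user || !pass)` — so whether an empty password is accepted now rests entirely on SIA's policy, while the same commit makes the "none" method `return 0` under HAVE_OSF_SIA in auth2.c; the two paths should agree, e.g. `if (!user || !pass || *pass == '\0') return(0);` (or consult the PermitEmptyPasswords setting the way auth_password does — field name to be confirmed in servconf.h). Separately, when sia_ses_authent fails without SIASTOP the entity created by sia_ses_init is never released before `return(0)`, so every rejected password attempt appears to leak one SIAENTITY; unless the SIA contract says the entity is already invalid on a non-STOP failure, release it unconditionally on the error path. `extern int errno;` should be `#include <errno.h>`, since on a threaded Tru64 build errno may be a macro rather than a plain int. `int ret;` in session_setup_sia is declared but never used.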
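--- /dev/null
+++ b/auth-sia.h
@@ -0,0 +1,8 @@
+#include "includes.h"
+
+#ifdef HAVE_OSF_SIA
+
+int auth_sia_password(char *user, char *pass);
+void session_setup_sia(char *user, char *tty);
+
+#endif /* HAVE_OSF_SIA */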
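Review bot: The new header has no include guard, so a second inclusion redeclares both prototypes; wrap the file in `#ifndef AUTH_SIA_H` / `#define AUTH_SIA_H` … `#endif /* AUTH_SIA_H */`. A one-line purpose comment above the prototypes would also help, e.g. `/* Tru64/OSF1 SIA password authentication and session setup (sshd only). */`, since nothing in the file says what SIA is or which side of the daemon uses it.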
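--- a/auth1.c
+++ b/auth1.c
@@ -12,11 +12,6 @@
 #include "includes.h"
 RCSID("$OpenBSD: auth1.c,v 1.15 2001/02/07 22:35:45 markus Exp $");
 
-#ifdef HAVE_OSF_SIA
-# include <sia.h>
-# include <siad.h>
-#endif
-
 #include "xmalloc.h"
 #include "rsa.h"
 #include "ssh1.h"
@@ -36,10 +31,6 @@ extern char *forced_command;
 #ifdef WITH_AIXAUTHENTICATE
 extern char *aixloginmsg;
 #endif /* WITH_AIXAUTHENTICATE */
-#ifdef HAVE_OSF_SIA
-extern int saved_argc;
-extern char **saved_argv;
-#endif /* HAVE_OSF_SIA */
 
 /*
 * convert ssh auth msg type into description
@@ -98,6 +89,8 @@ do_authloop(Authctxt *authctxt)
 #endif
 #ifdef USE_PAM
 auth_pam_password(pw, "")) {
+#elif defined(HAVE_OSF_SIA)
+0) {
 #else
 auth_password(pw, "")) {
 #endif
@@ -265,11 +258,8 @@ do_authloop(Authctxt *authctxt)
 authenticated = auth_pam_password(pw, password);
 #elif defined(HAVE_OSF_SIA)
 /* Do SIA auth with password */
-if (sia_validate_user(NULL, saved_argc, saved_argv,
-get_canonical_hostname(options.reverse_mapping_check),
-authctxt->user?authctxt->user:"NOUSER", NULL,
-0, NULL, password) == SIASUCCESS)
-authenticated = 1;
+authenticated = auth_sia_password(authctxt->user,
+password);
 #else /* !USE_PAM && !HAVE_OSF_SIA */
 /* Try authentication with the password. */
 authenticated = auth_password(pw, password);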
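Review bot: In the last hunk the SIA branch authenticates on the bare `authctxt->user` and never looks at `pw`, whereas the PAM and plain branches pass `pw` and so fail closed when sshd's own lookup produced no entry; a name that sshd rejected but that SIA knows can therefore still come back authenticated. If `pw` is NULL for rejected users, as the sibling branches assume, gate the call on it: `authenticated = pw != NULL && auth_sia_password(authctxt->user, password);`. If do_authloop still aborts with an internal-error fatal() when an invalid user authenticates, this turns that abort into an ordinary rejection. do_authloop begins and ends outside the hunk.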
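--- a/auth2.c
+++ b/auth2.c
@@ -25,11 +25,6 @@
 #include "includes.h"
 RCSID("$OpenBSD: auth2.c,v 1.40 2001/02/10 12:52:02 markus Exp $");
 
-#ifdef HAVE_OSF_SIA
-# include <sia.h>
-# include <siad.h>
-#endif
-
 #include <openssl/evp.h>
 
 #include "ssh2.h"
@@ -61,10 +56,6 @@ extern int session_id2_len;
 #ifdef WITH_AIXAUTHENTICATE
 extern char *aixloginmsg;
 #endif
-#ifdef HAVE_OSF_SIA
-extern int saved_argc;
-extern char **saved_argv;
-#endif
 
 static Authctxt *x_authctxt = NULL;
 static int one = 1;
@@ -346,10 +337,7 @@ userauth_none(Authctxt *authctxt)
 #ifdef USE_PAM
 return auth_pam_password(authctxt->pw, "");
 #elif defined(HAVE_OSF_SIA)
-return (sia_validate_user(NULL, saved_argc, saved_argv,
-get_canonical_hostname(options.reverse_mapping_check),
-authctxt->user?authctxt->user:"NOUSER", NULL, 0,
-NULL, "") == SIASUCCESS);
+return 0;
 #else /* !HAVE_OSF_SIA && !USE_PAM */
 return auth_password(authctxt->pw, "");
 #endif /* USE_PAM */
@@ -374,10 +362,7 @@ userauth_passwd(Authctxt *authctxt)
 #ifdef USE_PAM
 auth_pam_password(authctxt->pw, password) == 1)
 #elif defined(HAVE_OSF_SIA)
-sia_validate_user(NULL, saved_argc, saved_argv,
-get_canonical_hostname(options.reverse_mapping_check),
-authctxt->user?authctxt->user:"NOUSER", NULL, 0, NULL,
-password) == SIASUCCESS)
+auth_sia_password(authctxt->user, password) == 1)
 #else /* !USE_PAM && !HAVE_OSF_SIA */
 auth_password(authctxt->pw, password) == 1)
 #endif /* USE_PAM */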
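Review bot: In the userauth_passwd hunk the SIA branch is the only one that ignores `authctxt->pw` and authenticates the raw `authctxt->user`, so it has no user-validity check of its own; the `if` this condition belongs to starts before the hunk, and if it does not already test `authctxt->valid`, a user that sshd's lookup rejected can still be authenticated by SIA. Either confirm that guard is there or add it to the condition, e.g. `authctxt->valid && auth_sia_password(authctxt->user, password) == 1)`. The userauth_none hunk's `return 0;` deserves a comment stating the intent, e.g. `/* SIA: never accept an empty password via "none" */`, because a bare `return 0` reads like a stub.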
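--- a/session.c
+++ b/session.c
@@ -72,11 +72,6 @@ RCSID("$OpenBSD: session.c,v 1.55 2001/02/08 19:30:52 itojun Exp $");
 #include <usersec.h>
 #endif
 
-#ifdef HAVE_OSF_SIA
-# include <sia.h>
-# include <siad.h>
-#endif
-
 #ifdef HAVE_CYGWIN
 #include <windows.h>
 #include <sys/cygwin.h>
@@ -1051,21 +1046,8 @@ do_child(const char *command, struct passwd * pw, const char *term,
 switch, so we let login(1) to this for us. */
 if (!options.use_login) {
 #ifdef HAVE_OSF_SIA
-extern char **saved_argv;
-extern int saved_argc;
-char *host = get_canonical_hostname(options.reverse_mapping_check);
-
-if (sia_become_user(NULL, saved_argc, saved_argv, host,
-pw->pw_name, ttyname, 0, NULL, NULL, SIA_BEU_SETLUID) !=
-SIASUCCESS) {
-perror("sia_become_user");
-exit(1);
-}
-if (setreuid(geteuid(), geteuid()) < 0) {
-perror("setreuid");
-exit(1);
-}
 #else /* HAVE_OSF_SIA */
+session_setup_sia(pw->pw_name, ttyname);
 #ifdef HAVE_CYGWIN
 if (is_winnt) {
 #else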
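Review bot: The new-side gutter puts `session_setup_sia(pw->pw_name, ttyname);` at line 1050, after `#else /* HAVE_OSF_SIA */` (1049) and before `#ifdef HAVE_CYGWIN` (1051), so the call sits in the non-SIA arm while the `#ifdef HAVE_OSF_SIA` arm at 1048 is now empty. On a SIA build the child therefore never runs the SIA session setup that replaced sia_become_user/setreuid, and presumably skips the uid change the `#else` arm performs for other platforms, so the session would keep sshd's privileges; on a non-SIA build the call references a function auth-sia.h declares only under HAVE_OSF_SIA and will not link. Move the one added line up so it reads `#ifdef HAVE_OSF_SIA` / `session_setup_sia(pw->pw_name, ttyname);` / `#else /* HAVE_OSF_SIA */`. The rest of do_child, including the matching `#endif`, lies outside the hunk.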